Ukrainian officials are reporting that Russian hackers compromised a government file sharing system. The attackers uploaded malicious documents to the file sharing system in an attempt to spread them to other parts of the government. The attack was on a web-based portal used by multiple Ukrainian government agencies to disseminate documents and information. The attackers uploaded documents that, if opened on a workstation, would install malware on the system and allow the hackers to gain access to the victim's computer. Members of Ukraine's National Security and Defense Council (NSDC) have linked the attack to a Russian state-sponsored group, although they did not identify the group. This is the second Russian cyber-attack reported by the NSDC this week; on Monday it informed the public of DDoS attacks that targeted NSDC websites.
Although they did not publicly identify the threat actors, the NSDC published the following indicators of compromise:
• Domains: enterox.ru
• IP addresses: 220.127.116.11
• Link (URL): http://18.104.22.168/infant[.]php
Russia has a long history of cyber-attacks against Ukraine. These most recent attacks may be in response to the recent crackdown on cyber criminals by Ukrainian law enforcement. Binary Defense analysts will continue to monitor this situation as it develops. To protect against these types of attacks, organizations should regularly patch software and operating systems to the latest available versions. Be sure to have alerts set up to detect when a document file launches an unusual process or network connection, and educate employees about the dangers of active content embedded in Word and Excel files. When an attack makes it through the outer layers of defense, it is important to have a third-party monitoring service such as the Binary Defense Security Operations Task Force. The Task Force provides 24/7 monitoring of SIEM and endpoint detection systems to detect and defend against intrusions on an organization's network.
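The detection advice above (alert when a document file launches an unusual process or network connection) and the published IoC list can be combined into a single endpoint-telemetry check. The following Python script is an added example written for this post, not code from the original article or from Binary Defense or the NSDC. It assumes a Sysmon-style JSON-lines export in which each event carries the fields `event`, `parent_image`, `image`, `command_line`, `dest_ip`, `dest_host` and `url`; those field names, the list of "suspicious" child processes, and the sample log lines are all assumptions constructed for the example. The only values taken from the post are the three indicators of compromise, with the defanged URL restored to its plain form.

```python
import json

# Indicators of compromise quoted from the NSDC advisory in the post.
IOC_DOMAINS = {"enterox.ru"}
IOC_IPS = {"220.127.116.11", "18.104.22.168"}
IOC_URLS = {"http://18.104.22.168/infant.php"}

# Office binaries whose child processes and network connections deserve scrutiny
# (assumed list; extend to match the applications deployed in your environment).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and living-off-the-land binaries a malicious document commonly
# launches; a benign document almost never spawns these (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def refang(url):
    """Turn the defanged form used in advisories (hxxp, [.]) back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def check_event(evt):
    """Return a list of (rule, detail) tuples for one parsed event; empty means benign."""
    hits = []
    kind = evt.get("event")
    if kind == "process_create":
        parent = image_name(evt.get("parent_image", ""))
        child = image_name(evt.get("image", ""))
        if parent in OFFICE_IMAGES and child in SUSPICIOUS_CHILDREN:
            hits.append(("office_spawns_interpreter",
                         f"{parent} -> {child}: {evt.get('command_line', '')}"))
    elif kind == "network_connect":
        image = image_name(evt.get("image", ""))
        dest_ip = evt.get("dest_ip", "")
        dest_host = evt.get("dest_host", "").lower()
        url = refang(evt.get("url", ""))
        # Office applications rarely need outbound connections from a document.
        if image in OFFICE_IMAGES:
            hits.append(("office_network_connection", f"{image} -> {dest_host or dest_ip}"))
        # Any process touching a published indicator is worth an alert on its own.
        if dest_ip in IOC_IPS or dest_host in IOC_DOMAINS or url in IOC_URLS:
            hits.append(("ioc_match", f"{image} -> {dest_host or dest_ip} {url}".strip()))
    return hits


def scan(lines):
    """Parse JSON-lines telemetry and return every (line_number, rule, detail) finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the detector
        for rule, detail in check_event(evt):
            findings.append((n, rule, detail))
    return findings


# Constructed sample telemetry (not real logs): a clean document launch, a macro
# that spawns cmd.exe, Word reaching the IoC domain, an ordinary browser
# connection, and a follow-on download from the IoC URL.
SAMPLE_LINES = [
    r'{"event":"process_create","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"WINWORD.EXE /n report.docx"}',
    r'{"event":"process_create","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c powershell.exe -w hidden -nop"}',
    r'{"event":"network_connect","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_ip":"220.127.116.11","dest_host":"enterox.ru"}',
    r'{"event":"network_connect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"203.0.113.10","dest_host":"example.com"}',
    r'{"event":"network_connect","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest_ip":"18.104.22.168","url":"hxxp://18.104.22.168/infant[.]php"}',
]

if __name__ == "__main__":
    for n, rule, detail in scan(SAMPLE_LINES):
        print(f"line {n}: {rule}: {detail}")
```

Run against the constructed sample, the script reports four findings: the macro spawning `cmd.exe`, Word opening a network connection, that same connection matching the IoC domain and IP, and the later PowerShell download matching the IoC URL. The behavioural rules fire regardless of the indicators, which is the point of the post's advice: a fresh domain or IP will not be on any list, but a Word process launching PowerShell still will be.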